1. Introduction


In traditional networks, the network devices perform the functions of control and data forwarding in the same node (Fig. 1).

Fig. 1 Schematic of traditional network

This intertwining of both functions leads to static and inflexible networks. Software Defined Networking (SDN) [1] is a new paradigm of networking in which these functions are separated: the control functions are removed from the devices and placed in a centralized SDN Controller (SDNC).

An SDN network has the following functional elements:

• Data Plane consists of forwarding devices (FDs; e.g., switches that send incoming flows to their destinations according to rules defined in the flow tables).

• Control Plane (CP) makes rules for forwarding and modifying flows and ensures that the FDs comply with them. These functions are exercised by a central network element, the SDNC, which communicates with southbound FDs using a protocol. Currently OpenFlow [2] is the most widely used protocol for this purpose.

• Application Plane (AP) contains many services like security, load balancing, routing, firewalls, and the like. The CP communicates with the AP using North Bound Interfaces, for which a standardized protocol is not available at this time.

The Management Plane handles tasks like setting up the network and its configuration parameters. It is not programmable and is isolated.

2. Cognitive Control


2.1 Need for Cognitive Control

The current SDNC is a policy-driven entity. The network devices operate on packets according to whether the incoming packet header pattern matches an existing entry in the flow table [1,2]. In the event of no match, the packet is sent to the SDNC, which decides what to do with it based on the policies. This approach has severe limitations, as its applicability depends on the existence of policies that cover a vast number of possible deviations from the normal or baseline situation. As an example, the SDNC cannot make appropriate decisions when confronted with zero-day attack packets. Cognitive intelligence applied to the SDNC can alleviate most of these issues.

Earlier works on detecting the traffic anomaly due to a port scan attack in an SDN network have focused more on architecture and flow management methods [3-6]. In this work, we seek to find a signature of the port scan attack by applying a simple cognitive algorithm on the control plane.

2.2 Elements of Cognitive Control

The cognitive control has the following 3 elements, as illustrated in Fig. 2:

• Network devices as sensors and observers of the networking environment

• A store of prior knowledge consisting of policy decisions based on earlier interactions of the network with its environment

• Cognitive Controller (CC) as a planning and execution module taking appropriate actions when presented with newly sensed and observed networking data (Fig. 3)

The second element, the store of prior knowledge, can be implemented using the principles of neural networking.
Fig. 2 Schematic of software-defined network (panels: Applications, Network Devices)

Fig. 3 Elements of cognitive controller

3. Simplified Cognitive Control Model for Port Scan Detection

3.1 Port Scan Signature

Let

T = a chosen time-interval,

N = a chosen number, and

v(T) = the number of consecutive packets received during T.
The source and destination information inside the arriving packets is assumed to be random. The signature of a hacker executing a port scan attack will be the probing of different port numbers to find the weaknesses in the network.

In Eq. 1, n(T) is the number of consecutive packets having the same source but different port numbers arriving in the time interval T. The signature of the port scan attack is then given by the following relation:

n(T) > N.  (1)

3.2 Logical Steps in the Port Scan Detection Process

Our simplified CC model for detecting a port scan attack has the following entities:

• 2 OpenFlow switches (Sw-1 and Sw-2) that contain flow tables (FTs) with baseline rules

• The CC, a module of the general SDNC with the intelligence to recognize port scan attacks. It has access to a memory buffer for storage and contains a Time Counter cycling between 0 and T. It also stores the chosen threshold number, N, defined earlier.

The CC examines the packet flows according to the following logic.

At the start, the switch Sw-1 receives a packet from the packet source Src-host.

1) Sw-1 matches the header attributes of the packet against the rules in its FT and enforces the rule for a matching entry.

2) Sw-1 sends a nonmatching packet to the CC.

a. The CC reads the header attributes source (sn), destination (dn), and port number (pn) as a 3-tuple at the related time instant, tn. It compares them with the entries in an internal table of blacklisted sources.

b. For a matching sn, the CC instructs both Sw-1 and Sw-2 to drop all incoming packets from that source.

c. For a nonmatching sn, the CC sends the packet to a decision block.

3) The CC compares the current source value sn with the source value of the earlier instant, sn-1.

a. For sn ≠ sn-1 (different sources in consecutive packets), the CC instructs both Sw-1 and Sw-2 to add a new rule corresponding to this packet to their FTs.

b. For sn = sn-1 (same source in consecutive packets), the CC sends the packet to a new decision block.

4) The CC compares the current port value pn with the port value of the earlier instant, pn-1.

a. For pn = pn-1 (same port in consecutive packets), the CC instructs Sw-1 and Sw-2 to add a new rule corresponding to this packet to their FTs.

b. For pn ≠ pn-1 (different ports in consecutive packets), the CC sends the packet to a new decision block.

5) The CC compares the packet arrival sequence number n (an integer) with the preset integer N.

a. For n ≤ N (the packet counter less than or equal to the preset integer), the CC lets the packet go to its destination.

b. For n > N (the packet counter greater than the preset integer), the CC determines the arrival of the packet to be the signature of a port scan attack. The CC immediately blocks the source, puts it in the black list, and sends an alert to the management.
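The decision blocks of steps 2 to 5 above, written out as an added C++ example (not the report's own code): the controller keeps the count n of consecutive packets from one source that change port number within the interval T, forwards while n ≤ N, and blacklists the source once n > N. The class name, the parameter names and the packet trace are constructed for this example; the trace has one source probing six ports in a row, one repeating a port before changing it, and one whose probes straddle two intervals T so that its count restarts.

```cpp
#include <string>
#include <unordered_set>
#include <vector>

// One packet header as the CC reads it in step 2a: source sn, destination dn,
// port number pn, and the time instant tn of its arrival.
struct PktTuple { int sn; int dn; int pn; int tn; };

// Decision blocks 2-5 of Section 3.2 (added example, not the report's code).
// n counts consecutive packets from one source that probe different ports
// inside the interval T; n > N is the port scan signature of Eq. 1.
class CognitiveController {
public:
    CognitiveController(int T, int N) : T_(T), N_(N) {}
    // Returns the action for one packet: "drop", "add-rule", "forward" or
    // "blacklist", i.e. the outcomes of the decision blocks in Fig. 4.
    std::string handle(const PktTuple &p) {
        if (blacklist_.count(p.sn)) return "drop";              // step 2b
        std::string action = "add-rule";                        // steps 3a / 4a
        if (!havePrev_ || p.sn != prev_.sn) {                   // step 3a
            n_ = 0; windowStart_ = p.tn;                        // new source: restart n
        } else if (p.pn != prev_.pn) {                          // step 4b
            // the Time Counter cycles 0..T, so an expired interval restarts n
            if (p.tn - windowStart_ >= T_) { n_ = 0; windowStart_ = p.tn; }
            n_++;
            if (n_ <= N_) action = "forward";                   // step 5a
            else { blacklist_.insert(p.sn); alerts_.push_back(p.sn); action = "blacklist"; } // 5b
        }
        prev_ = p; havePrev_ = true;
        return action;
    }
    const std::vector<int> &alerts() const { return alerts_; }  // sources reported to management
private:
    int T_, N_, n_ = 0, windowStart_ = 0; bool havePrev_ = false;
    PktTuple prev_{}; std::unordered_set<int> blacklist_;
    std::vector<int> alerts_;
};

// Runs a constructed trace through a controller with parameters T and N and
// returns the action taken for each packet, in order.
std::vector<std::string> runSample(int T, int N) {
    const std::vector<PktTuple> trace = {              // constructed sample input
        {1,9,22,0},{1,9,23,1},{1,9,24,2},{1,9,25,3},{1,9,26,4},{1,9,27,5},
        {2,9,80,6},{2,9,80,7},{2,9,81,8},
        {3,9,1,100},{3,9,2,101},{3,9,3,102},{3,9,4,103},{3,9,5,115}};
    CognitiveController cc(T, N);
    std::vector<std::string> actions;
    for (const PktTuple &p : trace) actions.push_back(cc.handle(p));
    return actions;
}
```

With T = 10 and N = 3, source 1 is blacklisted on its fifth packet and its sixth is dropped, while source 3 stays under the threshold because its last probe falls in a new interval; with T = 100 the same last probe pushes source 3 over N.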


3.3 Model Used in Current Approach

In this report, we have used the logical steps described in Section 3.2 as guidance for the current investigations, as given in Fig. 4.

Fig. 4 Decision blocks for cognitive control


4. CC Module

The steps shown in Fig. 4 were coded in C++, and the raw packets were taken from a CAIDA archive [7] of real-time network data. The operational logic coded in C++ is shown in the following code.
#include <sstream>
#include <string>
using namespace std;

// Packet: holds the source, destination, and timestamp fields parsed from
// one line of the packet archive file
class Packet {
public:
    Packet(string packetInfo);
    int getSource();
    int getDestination();
    int getTimeStamp();
private:
    int source;
    int destination;
    int timestamp;
};

Packet::Packet(string packetInfo)
{
    // put the packet properties into the member variables
    stringstream packetStream(packetInfo);
    packetStream >> source;
    packetStream >> destination;
    packetStream >> timestamp;
}

// getters that return the corresponding member variable
int Packet::getSource()
{
    return source;
}

int Packet::getDestination()
{
    return destination;
}

int Packet::getTimeStamp()
{
    return timestamp;
}

The following code snippet describes the PacketList object, which stores the Packet objects and their attributes.


#include <algorithm>
#include <fstream>
#include <string>
#include <vector>
using namespace std;

// PacketList: reads every line of the archive file into a Packet (the class
// defined above) and keeps the Packets in a vector
class PacketList {
public:
    PacketList(string filePath);
    Packet checkSource();
private:
    vector<Packet> packets;
};

PacketList::PacketList(string filePath)
{
    ifstream packetFile(filePath);  // read from the file at the given file path
    string lineContents;
    // read one line from the file at a time, until the end of the file is reached
    while (getline(packetFile, lineContents))
    {
        Packet p(lineContents);  // parse the line as one packet (contents of the packet)
        packets.push_back(p);    // push that packet on to the vector (packets is a vector)
    }
    packetFile.close();  // close the file

    // sort by time stamp from latest to earliest
    sort(packets.begin(), packets.end(), [](Packet &p1, Packet &p2)
    {
        return p1.getTimeStamp() > p2.getTimeStamp();
    });
}


The following code gives a sample of a logic test. If the sources are the same, this will be allowed and will print that this is okay; if not, it will break out of this check.
#include <iostream>

// Sample logic test: walk the packet list in order and compare the source of
// each packet with the source of the previous one. A matching source is
// allowed (prints "allow"); the first change of source ends the check.
// Returns the last packet examined (assumes the list is not empty).
Packet PacketList::checkSource()
{
    Packet toReturn = packets.front();
    for (size_t i = 1; i < packets.size(); i++)
    {
        Packet &p = packets[i];
        toReturn = p;
        if (p.getSource() == packets[i - 1].getSource())
        {
            cout << "allow" << endl;
        }
        else
        {
            break;
        }
    }
    return toReturn;
}


5. Conclusions

In the current work, we showed that a simple algorithm was able to identify the traffic anomaly due to a port scan attack. This is an example of cognitive intelligence, which can be added to the SDNC as part of its computing engine. In the future we want to investigate extensions of this approach to a larger network with a more complex topology. We also want to investigate other algorithms to detect a denial of service attack in conjunction with a port scan attack. This algorithm can be implemented as a module in any SDNC (e.g., NOX or OpenDaylight). We will also test this approach with socket programming on real network traffic on the GENI OpenFlow platform.
AP      Application Plane
CC      Cognitive Controller
CP      Control Plane
dn      destination
FD      forwarding device
FT      flow table
pn      port number
SDN     Software-Defined Networking
sn      source
SDNC    Software-Defined Networking Controller
tn      time instant